NDAA seeks to disarm hackers

Lawmakers are poised to greenlight a defense bill that would add millions of dollars to federal cybersecurity programs while requiring contractors to inform the government in the event of a cyberattack.

The conference report on the House and Senate floors Thursday preserves notable increases to Pentagon programs meant to stave off foreign hackers and research new ways to defeat them. But the reconciled 2013 bill also includes new cybersecurity reporting and procurement rules that many in the tech industry are just now reviewing.

The House and Senate are barreling toward passage of the National Defense Authorization Act before Christmas, after lawmakers from both chambers huddled for weeks to reconcile significant differences between their bills.

Many of the disputes have focused on thorny political matters like indefinite detention, not on technology policy.

Still, the NDAA had been critical for the tech sector because of the increased role the Pentagon is playing in cyberspace. The 2012 bill reflects that reality as lawmakers preserved funding for the Department of Defense’s Cyber Command, for example, while putting aside millions of dollars in new funds for key research and development programs. It’s difficult to measure the total Pentagon cyberspending because those dollars are folded into other accounts and IT purchases — and much of it is classified.

Yet the funding only complements a torrent of new programs meant to safeguard Pentagon computers, address potential software vulnerabilities and shield classified federal information from digital spies. Many of the expected congressional mandates, however, aren’t necessarily ideas tech companies wholeheartedly support — though defense leaders certainly scaled back their original plans to address industry concerns.

The most controversial of the new initiatives would require defense contractors to report to the government if their systems or networks are subject to cyberintrusions.

The idea owes its origins to the final days of the Senate’s debate, when Armed Services Committee Chairman Carl Levin (D-Mich.) unveiled a robust and broad cyber-reporting amendment that passed with other tweaks. It was a marked contrast to the defense bill that cleared the House, which didn’t even touch the issue.

Nevertheless, tech companies quickly expressed deep dissatisfaction with Levin’s play. Associations like the Business Software Alliance and TechAmerica soon wrote lawmakers to oppose the proposed Senate mandate. Those groups felt it would prove too costly and cumbersome to the industry.

Many tech associations also favored the existing system — a voluntary reporting program known as the Defense Industrial Base pilot — and feared the Senate’s NDAA would steamroll other cybersecurity work already under way at the Pentagon.